Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-1697
published 1 month ago
Permalink CVE-2026-32741
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

libheif has a heap buffer overflow in decode_mask_image()

libheif
  • ==< 1.22.0
NIXPKGS-2026-1699
published 1 month ago
Permalink CVE-2026-32740
8.8 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

libheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing

libheif
  • ==< 1.22.0
NIXPKGS-2026-1696
published 1 month ago
Permalink CVE-2026-32738
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

libheif
  • ==< 1.22.0
NIXPKGS-2026-1695
published 1 month ago
Permalink CVE-2026-32882
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride

libheif
  • ==< 1.22.0
NIXPKGS-2026-1693
published 1 month ago
Permalink CVE-2026-33633
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • kittysay
    • kitty-img
    • kitty-themes
    • kittycad-kcl-lsp
    • mailman-hyperkitty
    • haskellPackages.discokitty
    • mailmanPackages.hyperkitty
    • mailmanPackages.mailman-hyperkitty
    • vimPlugins.nvim-treesitter-parsers.kitty
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

Kitty has a Heap Buffer Overflow in its Graphics Protocol Handler

kitty
  • ==< 0.47.0
NIXPKGS-2026-1694
published 1 month ago
Permalink CVE-2025-57798
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    2 packages
    • joplin-cli
    • joplin
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

Joplin has Denial of Service (DoS) via Uncontrolled Resource Allocation through Title Input

joplin
  • ==< 3.7.1
NIXPKGS-2026-1692
published 1 month ago
Permalink CVE-2026-47107
9.3 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): None (N)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): None (N)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration

windmill
  • ==f8467f38c8a053117ce62f96684cfb15ef792f08
  • <1.703.2
NIXPKGS-2026-1691
published 1 month ago
Permalink CVE-2026-33642
9.9 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month, 1 week ago
  • @LeSuisse ignored
    9 packages
    • kittysay
    • kitty-img
    • kitty-themes
    • kittycad-kcl-lsp
    • mailman-hyperkitty
    • haskellPackages.discokitty
    • mailmanPackages.hyperkitty
    • mailmanPackages.mailman-hyperkitty
    • vimPlugins.nvim-treesitter-parsers.kitty
    1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check

kitty
  • ==< 0.47.0
NIXPKGS-2026-1690
published 1 month ago
Permalink CVE-2026-33278
9.1 CRITICAL
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): High (H)
  • Vulnerable System Impact Integrity (VI): High (H)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): High (H)
  • Subsequent System Impact Integrity (SI): High (H)
  • Subsequent System Impact Availability (SA): High (H)
  • Exploit Maturity (E): Unreported (U)
  • Provider Urgency (U): Red (Red)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): High (H)
  • Modified Vulnerable System Impact Integrity (MVI): High (H)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): High (H)
  • Modified Subsequent System Impact Integrity (MSI): High (H)
  • Modified Subsequent System Impact Availability (MSA): High (H)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse ignored
    16 packages
    • luaPackages.luaunbound
    • lua51Packages.luaunbound
    • lua52Packages.luaunbound
    • lua53Packages.luaunbound
    • lua54Packages.luaunbound
    • lua55Packages.luaunbound
    • luajitPackages.luaunbound
    • prometheus-unbound-exporter
    • python312Packages.pyunbound
    • python313Packages.pyunbound
    • python314Packages.pyunbound
    • unbound-with-systemd
    • haskellPackages.unbound-generics-unify
    • haskellPackages.unbound-kind-generics
    • haskellPackages.unbounded-delays
    • haskellPackages.unbound-generics
    1 month ago
  • @LeSuisse ignored maintainer @Scrumplex 1 month ago maintainer.ignore
  • @LeSuisse restored package unbound-with-systemd 1 month ago
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

Possible arbitrary code execution during DNSSEC validation

Unbound
  • <1.25.1
NIXPKGS-2026-1689
published 1 month ago
Permalink CVE-2026-47783
8.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 month ago by @LeSuisse Activity log
  • Created suggestion 1 month ago
  • @LeSuisse ignored
    20 packages
    • libmemcached
    • memcachedTestHook
    • memcached-exporter
    • phpExtensions.memcached
    • php82Extensions.memcached
    • php83Extensions.memcached
    • php84Extensions.memcached
    • php85Extensions.memcached
    • perlPackages.CacheMemcached
    • perl5Packages.CacheMemcached
    • perl538Packages.CacheMemcached
    • perl540Packages.CacheMemcached
    • perlPackages.CacheMemcachedFast
    • perl5Packages.CacheMemcachedFast
    • perl538Packages.CacheMemcachedFast
    • perl540Packages.CacheMemcachedFast
    • python312Packages.python-memcached
    • python313Packages.python-memcached
    • python314Packages.python-memcached
    • chickenPackages_5.chickenEggs.memcached
    1 month ago
  • @LeSuisse ignored maintainer @coreyoconnor 1 month ago maintainer.ignore
  • @LeSuisse accepted 1 month ago
  • @LeSuisse published on GitHub 1 month ago

In memcached before 1.6.42, username data for SASL password database …

memcached
  • <1.6.42